METHOD AND SYSTEM OF SECURITY LOCATION DISCRIMINATION

FIELD OF THE INVENTION 

The invention relates generally to computer systems, and more particularly to an improved security model for computer systems.



BACKGROUND OF THE INVENTION 

Current computer security systems determine a user's access to network resources based on permissions granted according to the user's credentials. This user-centric model provides a great deal of flexibility for the increasingly mobile/remote user population. For example, remote access servers and Internet connectivity allow a user to transparently access corporate resources from virtually anywhere.

While this flexibility provides advantages to both the user and the owner of the network (e.g., a corporate enterprise), such increased availability and easy connectivity inherently elevates the risk of unauthorized access. Although encrypted network communication prevents wire eavesdropping, allowing remote access to sensitive corporate resources still has an intrinsic risk. Indeed, regardless of how protected the resources (such as files) are when they are transmitted, there is still likely to be a subset of sensitive corporate resources that the company does not want authorized users to be accessing from just anywhere.

For example, a laptop-computer user may inadvertently display highly confidential corporate strategy to unintended viewers, such as when working on an airplane. New, wider-angle laptop screens make it even more difficult to prevent other passengers from peering at the monitor contents. Similarly, with the escalating population of mobile users, the theft or loss of a notebook computer increasingly threatens the security of sensitive corporate data. A user's account and password also may be stolen, particularly if maintained on a stolen laptop. As long as the user has the proper credentials, existing security mechanisms make it simple to remotely download files and perform other remote actions, thus contributing to these and other security risks.

In short, remote access servers (RAS) and Internet connectivity enable users to access corporate resources from virtually any location. However, certain locations (particularly remote locations) are less secure than others. For example, because of portability and increased access, files downloaded to a laptop computer are easier to steal than files on a desktop machine in a corporate office. Similarly, unauthorized persons may obtain user accounts and passwords, whereby it is most likely that they will ... resources from a remote location.

SUMMARY OF THE INVENTION

Briefly, the present invention provides an improved computer network security system and method wherein access to network resources is based on information that includes the location of the connecting user. Ordinarily, the less trusted the location of the user, the more the access rights assigned to the user are restricted. A discrimination mechanism determines the location of a user with respect to categories of a security policy, such as to distinguish local users, intranet users and dial-up users from one another. A security provider establishes the access rights of the user such as by setting up an access token for the user based on information including the location and the user's credentials. An enforcement mechanism uses the access rights set up for the user to determine whether to grant or deny accesses to resources. The location-based access rights may be restricted with respect to the user's normal access rights in accordance with the security policy. For example, the processes of a local user may not be restricted beyond the user-based security information in the user's normal access token, while the same user connecting via a dial-up will have restricted processes. Preferably, restricted tokens are used to implement the location-based discrimination by restricting the access of users connecting from less trusted locations.

Other objects and advantages will become apparent from the following detailed description when taken in conjunction with the drawings, in which:

BRIEF DESCRIPTION OF THE DRAWINGS
FIGURE 1 is a block diagram representing a computer system into which the present invention may be incorporated;

FIG. 2 is a block diagram generally representing virtual locations from which a user may connect to a network;

FIG. 3 is a flow diagram representing the general steps taken to determine the user's location and access level of a user based on that location in accordance with one aspect of the present invention;

FIG. 4 is a block diagram generally representing the various components for establishing user access based on location information in accordance with one aspect of the present invention;
FIGS. 5-6 comprise a flow diagram representing the general steps taken to determine a user's level of trust based on location information in accordance with one aspect of the present invention;

FIG. 7 is a block diagram generally representing a mechanism determining a user's access rights, in accordance with an aspect of the present invention;

FIG. 8 is a block diagram generally representing the creation of a restricted token from an existing token in accordance with one aspect of the present invention;

FIG. 9 is a block diagram generally representing the various components for determining whether a process may access a resource;

FIGS. 10-11 comprise a flow diagram representing the general steps taken to create a restricted token from an existing token in accordance with one aspect of the present invention;

FIG. 12 is a block diagram representing a process having a restricted token associated therewith attempting to access a resource in accordance with one aspect of the present invention;

FIG. 13 is a block diagram generally representing the logic for determining access to an object of a process having a restricted token associated therewith in accordance with an aspect of the present invention;

FIG. 14 is a flow diagram representing the general steps taken when determining whether to grant a process access to a resource in accordance with an aspect of the present invention;

FIG. 15 is a diagram representing the communication between a client and a server in a challenge-response authentication protocol;

FIG. 16 is a block diagram representing the creation of a restricted token based on authentication credentials and location discrimination in accordance with one aspect of the present invention;

FIG. 17 is a diagram representing the communication for authenticating a client at a server according to the Kerberos authentication protocol;

FIG. 18 is a block diagram representing the creation of a restricted token based on an authentication ticket and location discrimination in accordance with one aspect of the present invention;

FIG. 19 is a diagram representing the communication for authenticating a client at a server according to the SSL protocol; and

FIG. 20 is a block diagram representing the creation of a restricted token based on an authentication certificate and location discrimination in accordance with one aspect of the present invention.

DETAILED DESCRIPTION

Exemplary Operating Environment

Figure 1 and the following discussion are intended to provide a brief general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

With reference to FIG. 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a conventional personal computer 20 or the like, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read-only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system 26 (BIOS), containing the basic routines that help to transfer information between elements within the personal computer 20, such as during start-up, is stored in ROM 24. The personal computer 20 may further include a hard disk drive 27 for reading from and writing to a hard disk, not shown, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD-ROM or other optical media. The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical drive interface 34, respectively. The drives and their associated computer-readable media provide non-volatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 20. Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 29 and a removable optical disk 31, it should be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories (RAMs), read-only memories (ROMs) and the like may also be used in the exemplary operating environment.

A number of program modules may be stored on the hard disk, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35 (preferably Windows NT), one or more application programs 36, other program modules 37 and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port, or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor 47, personal computers typically include other peripheral output devices (not shown), such as speakers and printers.

The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, Intranets and the Internet.

When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the wide area network 52, such as the Internet. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.

Location Discrimination

In accordance with one aspect of the present invention, there is provided a method and system that determines access to resources based on the location of a user (in addition to the user's normal access rights based on the user's credentials). For example, valid users determined to be at a local, secure location are given their full access rights, while those at a remote location are given restricted access rights. Moreover, the amount of restriction may vary based on the type of remote access.

By way of example, FIG. 2 shows a number of locations from which a user may connect to a corporate network (comprising local machine or machines) 60. Users may connect through computers 62₁-62ₙ via a local area network (such as LAN 51 and network interface 53 as shown in FIG. 1). Other users may connect through remote office servers 64₁-64ₙ, e.g., via a T1 connection, while others may be connected through the Internet via a virtual private network (VPN) 66. Still other users may connect through any number of remote access servers (e.g., 68₁-68₂), and in numerous other ways from other locations (not shown).
In keeping with the invention, the level of access granted to a user for accessing network resources is dependent on the (virtual) location from where a given user is connected. For example, users connected to the local machine 60 via a LAN 62₁ may be given their full access rights, users through a remote office 64₁ somewhat restricted rights, and users through RAS 68₁, 68₂ or the VPN 66 substantially restricted access rights.
As can be readily appreciated, as used herein, the term "location" is a logical concept related to the type of location connection rather than a physical concept related to the distance from which the connection is originating. For example, a user can connect to the network 60 via the RAS 68₂ from virtually any physical location that has any type of telephone service. Similarly, a user may connect from an Intranet location that may be relatively far (physically) from the local machine 60. Indeed, a RAS 68₁, 68₂ dial-up user may be closer in physical distance than a user at a remote office 64₁ connecting via a T1 line, even though the dial-up user will ordinarily be considered less secure. As such, as used herein, each location from which a user may connect is considered a virtual location rather than a physical place. Notwithstanding, the present invention may also further operate with some regard to physical location if the user's physical location is actually known (e.g., via caller ID, the invention may further restrict access to all RAS users calling from a certain area code).

To accomplish location discrimination, there is provided (e.g., in the network machines 60) a mechanism / process 67 for reliably determining the location of a user. Note that the mechanism / process 67 may comprise various components in one machine or distributed among numerous machines in the network. Moreover, as described herein, there are two different mechanisms for IP address location discrimination. A first is based on an Internet Location Service (ILS) 69, while the latter is based on assigning ranges of IP addresses (administered preferably via the directory services) to clients in various locations, and using trusted routers to prevent the use of a more trusted IP address from a less trusted location. Both approaches work on any network with a routing mechanism and well-defined, trusted access points.

A first (ILS) way to determine if a user is not in a trusted location is for the mechanism 67 to check to see if the user is connecting through a remote access server (RAS), and if so, is therefore remote and less trusted. To this end, when RAS authenticates the remote user logon, as represented by step 300 of FIG. 3, RAS assigns the user an Internet Protocol (IP) address and registers this user and IP address with the ILS (Internet Location Service) 69. As shown in the flow diagram of FIG. 3, if the IP address is listed in the ILS (step 302), the user is logged on through this RAS cluster and is thus untrusted. Such users will be given restricted access, such as by setting a certain reduced access level (step 304) and then using that level to assign (restricted) access rights (step 310), as described in more detail below.

However, if a user's IP address is not listed in the ILS 69 as a RAS IP address, then that user is not necessarily local and trusted. By way of example, if a user logs on through a RAS server in Europe, and then wants access therethrough to a Charlotte (North Carolina) domain, the Charlotte RAS / ILS does not have the European RAS connection listed with its local ILS. Accordingly, for a user not listed with a local ILS 69, additional information is needed to determine the user's location.

One piece of additional information is the assigned IP address, which is evaluated at step 306. If the IP address is not within the range of local, trusted IP addresses assigned by the local machine, then the user is not local. Accordingly, the mechanism / process 67 at step 306 will branch to step 304, where a level is set to untrusted as described above. If the address is within the range of local, trusted IP addresses, then the user is local but has not connected via RAS, and thus is trusted. Such users will be given normal access, such as by assigning the user a trusted access level (step 306) and then using that level to assign access rights (step 310), as described in more detail below.

Note that the full routing path for a connection is available to a server, and thus when determining the location, access is assigned based upon the least trusted location (i.e., the "weakest link") through which a user's packets are being routed. Moreover, when an IP address is not in a range of "untrusted" locations, it is not assumed to be within a trusted range, but rather location discrimination is inclusive rather than exclusive in nature, i.e., a list of trusted IP ranges is tested for assigning levels rather than assigning levels by omission from a list of untrusted locations.
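The two-level FIG. 3 logic (ILS lookup, then an inclusive test against trusted ranges, with the weakest link deciding for a routed path), written out as an added example that is not part of the patent text; the class and function names, the trusted range and the sample addresses are assumptions.

```python
"""Two-level location discrimination after FIG. 3 (added example; names are assumptions)."""
import ipaddress

UNTRUSTED = "untrusted"
TRUSTED = "trusted"


class LocationDiscriminator:
    """Models mechanism / process 67: an ILS lookup followed by an inclusive
    test against the local, trusted address ranges."""

    def __init__(self, trusted_ranges):
        # Constructed sample policy: ranges the local machine hands out to local clients.
        self.trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
        # Internet Location Service 69: RAS-assigned address -> user name.
        self.ils = {}

    def ras_logon(self, user, ip):
        # Step 300: RAS authenticates the remote user, assigns an address and
        # registers user and address with the ILS.
        self.ils[ipaddress.ip_address(ip)] = user

    def level_for_address(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self.ils:
            # Steps 302 -> 304: listed in the ILS, so the user came through this RAS cluster.
            return UNTRUSTED
        if any(addr in net for net in self.trusted):
            # Step 306: inside a local, trusted range and not via RAS.
            return TRUSTED
        # Not in the local ILS and not in a trusted range (e.g. a user who logged on
        # through a RAS server in another domain). Discrimination is inclusive:
        # absence from the untrusted list never implies trust.
        return UNTRUSTED

    def level_for_path(self, route):
        # The server sees the full routing path; the least trusted hop (the
        # "weakest link") decides the level for the whole connection.
        if any(self.level_for_address(hop) == UNTRUSTED for hop in route):
            return UNTRUSTED
        return TRUSTED


def demo():
    """Runs the cases the text walks through and returns the level for each."""
    d = LocationDiscriminator(["111.22.0.0/16"])   # constructed trusted range
    d.ras_logon("alice", "111.24.0.7")              # constructed RAS-assigned address
    return {
        "ras_user": d.level_for_address("111.24.0.7"),
        "local_user": d.level_for_address("111.22.3.4"),
        "foreign_ras_user": d.level_for_address("192.0.2.10"),
        "routed_via_ras": d.level_for_path(["111.22.3.4", "111.24.0.7"]),
    }


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case}: {level}")
```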

It should be noted that, like other electronic security systems in general, the level of care with which the present invention is used is also responsible for the overall security results. For example, care should be taken when segregating a network with different trust levels, items should be routed appropriately, internal procedures should not allow someone, for example, to install a RAS server on a desktop machine in the corporate office for personal use, and so on.

The above example provides a simplified, two-level local discrimination mechanism 67. However, for finer grained multiple trust level control, IP addresses may be assigned by servers in ranges that correspond to additional location information as to the location from which the user is connecting. RAS servers may be further arranged with a location discrimination mechanism 71 to assign IP addresses in one range for callers from "authorized" phone numbers, and another range for anonymous or unregistered phone numbers. Note that the mechanism / process 71 may include the same or similar components to the mechanism / process 67 described above, along with additional components, and may be within one machine or distributed among numerous machines in the network. However, in addition to providing finer granularity, maintaining a trusted IP address range at the domain server takes less time to query than checking with the ILS 69. Moreover, as will become apparent below, to accomplish overall security, there are generally three parts of the mechanism, including a global database of address to location mappings, trusted address assignment and secure routers / gateways.

The following table sets forth trust levels and IP address ranges which may be assigned to a user based on some policy arbitrarily set up for a hypothetical enterprise. Note that users connecting directly (e.g., via a LAN interface card 53) to the local machine are level zero trusted.

Level            Location                 IP Address Range
Trust Level 1    Local Intranet users     111.22.0.0-111.22.255.255
Trust Level 2    RAS Authorized Users     111.24.0.0-111.24.127.255
Trust Level 3    RAS Anonymous Users      111.24.128.0-111.24.255.255
                                          111.25.0.0-111.25.255.255



By way of example, FIG. 4 shows three different types of user connections via which users connect to a RAS server (e.g., 68₂). A first user connects a remote computer 70₁ to the RAS server 68₂ by dialing in from a RAS-registered phone number, a second user from a remote computer 70₂ via an unregistered or blocked telephone number, and a third user from any phone number. The first two users have user credentials alleging that they are authorized users of the system, while the third user is not claiming to be an authorized user but is instead only attempting to connect as a guest. To determine the access level, the RAS server 68₂ first determines the telephone number of the calling computer via caller ID 74. If a telephone number is available (e.g., not blocked by the caller), the RAS server 68₂ queries a database (or table) 72 that maintains a list of registered telephone numbers that are allowed increased access to resources.
In this manner, the user of the remote computer 70₁ calling from a registered number may be given greater access to resources than the user of the remote computer 70₂ calling from an unregistered or blocked telephone number. Moreover, both may have more access rights than a guest user 70₃ regardless of that user's telephone number. For example, the user of the remote computer 70₃ may be only allowed access to files on a public server 76, while the user computer 70₂ calling from the unregistered number may have access to the public server 76 and an employee server 78. Lastly, the user computer 70₁ calling from the registered number may have access to the public server 76, employee server 78 and a confidential server 80, yet still may not have access to a top secret server 82. Such distinctions enable an enterprise to set up any number of access policies. As can be readily appreciated, with the above example, traveling employees would be able to call in from an unregistered location and access some employee-level files (further restricted by their user credentials), but not confidential files. Confidential files could only be accessed from a user's home or other known location that has a registered telephone number, while top secret files are not accessible via any RAS connection.

To summarize, FIGS. 5-6 comprise an exemplary flow diagram showing how access levels may be assigned according to a predetermined policy. If at step 500 of FIG. 5 a user is connecting via the local machine 60, the trust level is set to zero at step 502, which then continues to step 516 where access rights are assigned based (in part) on the trust level. If not connecting via the local machine, however, the process / mechanism 71 continues to FIG. 6 wherein the type of remote connection determines the trust level via an assigned IP address. If at step 520 of FIG. 6 the user is not connecting via a dial-up connection, then step 520 branches to step 522 wherein the IP address assigned to the user is in the range of addresses reserved for Local Intranet users. Note that in this simplified example, a user either connects directly to the local machine, via an Intranet connection or via a dial-up connection.

If, however, step 520 detects that the user is connecting via a dial-up connection, step 520 branches to step 524 to determine the telephone number from which the connection is being made. As can be appreciated, this information may be made available via a caller ID mechanism 72 or the like. Step 526 tests to determine if the telephone number is available, since there is a possibility that the user has blocked the caller ID function when originating the call, or possibly that the calling telephone is not capable of activating the feature (e.g., the calling number is outside a caller ID-equipped area).

Note that, if the mechanism 72 is capable of distinguishing between blocked calls and numbers that are simply not detectable, the policy may discriminate between the two to set a different trust level. However, in the present example, if the telephone number is not available regardless of the reason, then step 526 branches to step 532 where an IP address is assigned in the RAS unregistered range.

If instead the number is available, step 528 is executed, which uses the number to query the database 74 or the like to determine whether the number is registered as that of a predetermined trusted location. Note that the location information may be optionally combined with the user identity at this time, e.g., a user identified as UserX will be given increased access if calling from his or her registered home number, but no other user will receive increased access if calling from that number.

If the number is appropriately registered as determined by step 530, then step 530 branches to step 534 where an IP address is assigned in the RAS registered user range for the calling computer. Otherwise, step 530 branches to step 532 where an IP address is assigned in the RAS unregistered user range. The location discrimination process / mechanism 71 then returns to step 504 of FIG. 5 where the assigned addresses will be evaluated by the machine that determines access rights.

At step 504, if the IP address is in the range of local intranet users, then step 504 branches to step 506 wherein the trust level is set to one for this user. If not in the range of local intranet users, step 508 tests to determine if the range is within the range of RAS registered users. If so, the trust level is set to two at step 510, while if not the trust level is set to three at step 512. Once the trust level is set to a level from zero to three, the process then continues to step 516 wherein access rights are assigned based on the trust level of the user in combination with the user's credentials, as described in more detail below.
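The FIG. 4 server policy and the FIGS. 5-6 flow (caller ID selects the RAS address pool; the assigned address then maps to a trust level from zero to three), as an added example that is not part of the patent text. The address pools are the first three rows of the table above; the class and function names, the registered number, the UserX binding and the mapping of levels 0 and 1 to servers are assumptions.

```python
"""Multi-level trust assignment after FIGS. 4-6 (added example; names are assumptions)."""
import ipaddress

# Trust levels and address ranges from the table above; level 0 is a direct LAN
# connection and has no range of its own. Pools use the table's first three rows.
TRUST_RANGES = [
    (1, "Local Intranet users", ipaddress.ip_network("111.22.0.0/16")),    # 111.22.0.0-111.22.255.255
    (2, "RAS Authorized Users", ipaddress.ip_network("111.24.0.0/17")),    # 111.24.0.0-111.24.127.255
    (3, "RAS Anonymous Users", ipaddress.ip_network("111.24.128.0/17")),   # 111.24.128.0-111.24.255.255
]
RANGE_BY_LEVEL = {level: net for level, _name, net in TRUST_RANGES}

# Assumed policy tying trust levels to the servers of FIG. 4: levels 2 and 3 follow the
# text's registered / unregistered example; levels 0 and 1 are assumed to see everything.
SERVERS_BY_LEVEL = {
    0: {"public", "employee", "confidential", "top_secret"},
    1: {"public", "employee", "confidential", "top_secret"},
    2: {"public", "employee", "confidential"},
    3: {"public", "employee"},
}


class RasServer:
    """Location discrimination mechanism 71 on a RAS server: picks the address pool
    from the caller ID result (steps 524-534 of FIG. 6)."""

    def __init__(self, registered_numbers):
        # Database 74 (constructed): registered number -> the one user it is registered to.
        self.registered = registered_numbers
        self._pools = {lvl: RANGE_BY_LEVEL[lvl].hosts() for lvl in (2, 3)}

    def assign_address(self, user, caller_id):
        # Step 526: number blocked or not detectable -> unregistered range (step 532).
        if caller_id is None:
            return str(next(self._pools[3]))
        # Steps 528/530: number registered, and registered to this user -> registered
        # range (step 534). UserX rule: another user on UserX's number gains nothing.
        if self.registered.get(caller_id) == user:
            return str(next(self._pools[2]))
        return str(next(self._pools[3]))


def trust_level(ip, via_local_machine=False):
    """Steps 500-512: map a connection to a trust level from zero to three."""
    if via_local_machine:
        return 0                                   # step 502
    addr = ipaddress.ip_address(ip)
    for level in (1, 2):                           # steps 504 and 508, in that order
        if addr in RANGE_BY_LEVEL[level]:
            return level
    return 3                                       # step 512: anything else is least trusted


def permitted_servers(ip, via_local_machine=False):
    """Step 516 (location part only): servers reachable at the computed trust level."""
    return SERVERS_BY_LEVEL[trust_level(ip, via_local_machine)]


def demo():
    """Dials in three callers and returns (address, level, servers) for each."""
    ras = RasServer({"704-555-0100": "UserX"})     # constructed registered home number
    cases = {
        "userx_registered": ras.assign_address("UserX", "704-555-0100"),
        "usery_same_number": ras.assign_address("UserY", "704-555-0100"),
        "userx_blocked_id": ras.assign_address("UserX", None),
    }
    return {name: (ip, trust_level(ip), sorted(permitted_servers(ip)))
            for name, ip in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```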

FIG. 7 generally shows the logic for determining access rights in accordance with the present invention. A security provider 83 takes the user credentials 90 and the location information (e.g., the trust level) 92 and determines the access rights 94 for the user based on that information. As described below, in a preferred embodiment, the access rights are placed in an access token that is associated with each of the user's processes, and compared against security information associated with each resource to determine access to that resource.

Location Discrimination Using Restricted Tokens 
As will become apparent, the present invention is preferably implemented at the operating system level, and thus covers virtually all possible ways to access information. By way of example, consider protecting a given file on a server. This file may be accessed in many ways, including remote SMB file access, via a script running on the server, via an FTP server running on the server, via a proxy (third machine), and so on. The present invention operates at the system level, making it possible to protect virtually all ways of accessing the file.

The preferred security model of the present invention that is described herein leverages and extends the existing Windows NT security model. Notwithstanding, there is no intention to limit the present invention to the Windows NT operating system, but on the contrary, the present invention is intended to operate with and provide benefits with any mechanism that can in some way limit access to resources based on input information.

In general, in the Windows NT operating system, a user performs tasks by accessing the system's resources via processes (and their threads). For purposes of simplicity herein, a process and its threads will be considered conceptually equivalent, and will thus hereinafter simply be referred to as a process. Also, the system's resources, including files, shared memory and physical devices, which in Windows NT are represented by objects, will be ordinarily referred to as either resources or objects herein.
When a user logs on to the Windows NT operating system and is authenticated, a security context is set up for that user, which includes building an access token 100. As shown in the left portion of FIG. 8, a conventional user-based access token 100 includes a UserAndGroups field 102 including a security identifier (Security ID, or SID) 104 based on the user's credentials and one or more group IDs 106 identifying groups (e.g., within an organization) to which that user belongs. The token 100 also includes a privileges field 108 listing any privileges assigned to the user. For example, one such privilege may give an administrative-level user the ability to set the system clock through a particular application programming interface (API). Note that privileges override the access control checks, described below, that are otherwise performed before granting access to an object.

As will be described in more detail below and as generally represented in FIG. 9, a process 110 desiring access to an object 112 specifies the type of access it desires (e.g., obtain read/write access to a file object) and provides its associated token 100 to an object manager 114. The object 112 has a security descriptor 116 associated therewith, and the object manager 114 provides the security descriptor 116 and the token 100 to a security mechanism 118. The contents of the security descriptor 116 are typically determined by the owner (e.g., creator) of the object, and generally comprise a (discretionary) access control list (ACL) 120 of access control entries, and for each entry, one or more access rights (allowed or denied actions) corresponding to that entry. Each entry comprises a type (deny or allow) indicator, flags, a security identifier (SID) and access rights in the form of a bitmask wherein each bit corresponds to a permission (e.g., one bit for read access, one for write and so on). The security mechanism 118 compares the security IDs in the token 100, along with the type of action or actions requested by the process 110, against the entries in the ACL 120. If a match is found with an allowed user or group, and the type of access desired is allowable for the user or group, a handle to the object 112 is returned to the process 110, otherwise access is denied.
By way of example, a user with a token identifying the user as a member of the "Accounting" group may wish to access a particular file object with read and write access. If the file object has the "Accounting" group identifier of type allow in an entry of its ACL 120 and the group has rights enabling read and write access, a handle granting read and write access is returned, otherwise access is denied. Note that for efficiency reasons, the security check is performed only when the process 110 first attempts to access the object 112 (create or open), and thus the handle to the object stores the type of access information, so as to limit the actions that can be performed therethrough.

The security descriptor 116 also includes a system ACL, or SACL 121, which comprises entries of type audit corresponding to client actions that are to be audited. Flags in each entry indicate whether the audit is monitoring successful or failed operations, and a bitmask in the entry indicates the type of operations that are to be audited. A security ID in the entry indicates the user or group being audited. For example, consider a situation wherein a particular group is being audited so as to determine whenever a member of that group that does not have write access to a file object attempts to write to that file. The SACL 121 for that file object includes an audit entry having the group security identifier therein along with an appropriately set fail flag and write access bit. Whenever a client belonging to that particular group attempts to write to the file object and fails, the operation is logged. For purposes of simplicity, auditing will not be described in detail hereinafter; however, it can be readily appreciated that the concepts described with respect to access control via restricted SIDs are applicable to auditing operations.

Note that the ACL 120 may contain one or more identifiers that are marked for denying users or groups access (as to all rights or selected rights) rather than granting access thereto. For example, one entry listed in the ACL 120 may otherwise allow members of "Group3" access to the object 112, but another entry in the ACL 120 may specifically deny "Group24" all access. If the token 100 includes the "Group24" security ID, access will be denied regardless of the presence of the "Group3" security ID. Of course, to function properly, the security check is arranged so as to not allow access via the "Group3" entry before checking the "DENY ALL" status of the Group24 entry, such as by placing all DENY entries at the front of the ACL 120. As can be appreciated, this arrangement provides for improved efficiency, as one or more isolated members of a group may be separately excluded in the ACL 120 rather than having to individually list each of the remaining members of a group to allow their access.

Note that instead of specifying a type of access, a caller may request MAXIMUM_ALLOWED access, whereby an algorithm determines the maximum type of access allowed, based on the normal UserAndGroups list versus each of the entries in the ACL 120. More particularly, the algorithm walks down the list of identifiers accumulating the rights for a given user (i.e., OR-ing the various bitmasks). Once the rights are accumulated, the user is given the accumulated rights. However, if during the walkthrough a deny entry is found that matches a user or group identifier and the requested rights, access is denied.

A restricted token is created from an existing access token (either restricted or unrestricted), and has less access than (i.e., has a subset of the rights and privileges of) a user's normal token. As used herein, a user's "normal" token is that which grants access solely based on the identity of the user (via users or groups), with no additional restrictions placed thereon. A restricted token may not allow access to a resource via one or more user or group security IDs specially marked as "USE_FOR_DENY_ONLY," even though the user's normal token allows access via those SIDs, and/or may have privileges removed that are present in a user's normal token. As also described below, if the restricted token includes any restricted security IDs, the token is subject to an additional access check wherein the restricted security IDs are compared against the entries in the object's ACL.

In accordance with one aspect of the invention, an access token is created for a user based on both the identity of the user and the location from which the user is connecting. In general, the less trustworthy the location, the more the token is restricted as to the resources the associated process may access and/or the actions it may perform on those resources. For example, a user that is connected via a LAN may have a normal token associated with that user's processes, while the same user connected via RAS may have his or her processes associated with a restricted token that is stripped of all privileges.

As mentioned above, one way in which to reduce access is to change an attribute of one or more user and/or group security identifiers in a restricted token so as to be unable to allow access, rather than grant access therewith. Security IDs marked USE_FOR_DENY_ONLY are effectively ignored for purposes of granting access; however, an ACL that has a DENY entry for that security ID will still cause access to be denied. By way of example, if the Group2 security ID in the restricted token 124 (FIG. 9) is marked USE_FOR_DENY_ONLY, when the user's process attempts to access an object 112 having the ACL 120 that lists Group2 as allowed, that entry is effectively ignored and the process will have to gain access by some other security ID. However, if the ACL 120 includes an entry listing Group2 as DENY with respect to the requested type of action, then once tested, no access will be granted regardless of the user's other security IDs.

As can be appreciated, this provides a server with the ability to restrict a user's or group's access to an object based on the location of the user. As described above, the IP address range may be based on the user's location, e.g., trust level zero if connecting to the local machine, trust level one if connecting from the intranet or other trusted site, level two if via RAS from an authorized telephone number, and level three otherwise. This range of addresses is then examined to mark certain groups as USE_FOR_DENY_ONLY.

By way of example, consider a user identified as UserX having a normal access token including a "TopSecret" SID, a "Confidential" SID, and an "Employee" SID, each of which grants access to TopSecret, Confidential and Employee files (based on their ACLs) respectively. If UserX is at trust level zero, UserX's normal token is used and there are no location-based restrictions placed thereon. However, if at trust level one, then the TopSecret SID is marked USE_FOR_DENY_ONLY in UserX's access token. Similarly, if at trust level two, then both the TopSecret SID and the Confidential SID are marked USE_FOR_DENY_ONLY, while if at level three, then the TopSecret SID, the Confidential SID and the Employee SID are marked USE_FOR_DENY_ONLY. Note that access to objects cannot be safely reduced by simply removing a security ID from a user's token, since that security ID may be marked as "DENY" in the ACL of some objects, whereby removing that identifier would grant rather than deny access to those objects. Moreover, no mechanism is provided to turn off this USE_FOR_DENY_ONLY security check.

Another way to reduce access in a restricted token is to remove one or more privileges relative to the parent token. For example, a user having a normal token with administrative privileges may be restricted via the location-based system of the present invention such that unless the user is directly connected to the local machine 60, the user's processes will run with a restricted token having no, or in some way reduced, privileges. As can be appreciated, the privileges that remain may also be based on levels of trust, e.g., all privileges if local (level zero), some if level one, none if level two or three.

Yet another way to reduce a token's access based on the user's location is to add restricted security IDs thereto. Restricted security IDs are numbers representing processes, resource operations and the like, made unique such as by adding a prefix to GUIDs or numbers generated via a cryptographic hash or the like, and may include information to distinguish these Security IDs from other Security IDs. As described below, if a token includes any restricted security IDs, the token is subject to an additional access check wherein the restricted security IDs are compared against the entries in the object's ACL. Thus, for example, a Restricted SID may specify "RAS," whereby unless an object's ACL has a "RAS" entry, the user will be denied access to that object.

As shown in FIG. 8, restricted SIDs are placed in a special field 122 of a restricted token 124, and, in accordance with the present invention, identify a location from which a process is requesting an action. As described in more detail below, by requiring that both at least one user (or group) security ID and at least one restricted security ID be granted access to an object, an object may selectively grant access based on that location (as well as a user or group). Moreover, each of the locations may be granted different access rights.

The design provides for significant flexibility and granularity within the context of a user to control what a user is allowed to do from a given location. By way of example, consider the above example wherein users connecting from the local machine are level zero trusted, users connecting from the intranet and trusted sites are level one trusted, users connecting from authorized phone numbers (through RAS) and the Internet are level two trusted, and users connecting from restricted sites or unauthorized phone numbers are level three trusted. Then, based on the user's location (e.g., as ascertained from the user's IP address), level zero through level three trusts may be defined according to some predetermined policy to run as follows:
    Level   Restrictions in Security Context

    0       No additional restrictions are placed on the user's security
            context.

    1       Users operate under a restricted context, such as with privileges
            removed for highly sensitive operations, e.g., Backup/Restore.

    2       Users operate under a restricted context with all SIDs still
            enabled, but no privileges.

    3       Users operate under a restricted context which has all SIDs
            disabled using the USE_FOR_DENY_ONLY bit, except, e.g., constant
            ones such as Everyone and Authenticated Users. All privileges are
            removed as in Level 2.


To create a restricted token from an existing token, an application programming interface (API) is provided, named NtFilterToken, as set forth below:

    NtFilterToken(
        IN HANDLE ExistingTokenHandle,
        IN ULONG Flags,
        IN PTOKEN_GROUPS SidsToDisable OPTIONAL,
        IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL,
        IN PTOKEN_GROUPS RestrictingSids OPTIONAL,
        OUT PHANDLE NewTokenHandle
        );



The NtFilterToken API is wrapped under a Win32 API named CreateRestrictedToken, further set forth below:

    WINADVAPI
    BOOL
    APIENTRY
    CreateRestrictedToken(
        IN HANDLE ExistingTokenHandle,
        IN DWORD Flags,
        IN DWORD DisableSidCount,
        IN PSID_AND_ATTRIBUTES SidsToDisable OPTIONAL,
        IN DWORD DeletePrivilegeCount,
        IN PLUID_AND_ATTRIBUTES PrivilegesToDelete OPTIONAL,
        IN DWORD RestrictedSidCount,
        IN PSID_AND_ATTRIBUTES SidsToRestrict OPTIONAL,
        OUT PHANDLE NewTokenHandle
        );



As represented in FIGS. 8 and 10-11, these APIs 126 work in conjunction to take an existing token 100, either restricted or unrestricted, and create a modified (restricted) token 124 therefrom. The structure of a restricted token, which contains the identification information about an instance of a logged-on user, includes three new fields corresponding to restrictions, ParentTokenId, RestrictedSidCount and RestrictedSids, marked "(new)" in the comments below:

    typedef struct _TOKEN {
        TOKEN_SOURCE TokenSource;                          // Ro: 16-Bytes
        LUID TokenId;                                      // Ro: 8-Bytes
        LUID AuthenticationId;                             // Ro: 8-Bytes
        LUID ParentTokenId;                                // Ro: 8-Bytes  (new)
        LARGE_INTEGER ExpirationTime;                      // Ro: 8-Bytes
        LUID ModifiedId;                                   // Wr: 8-Bytes
        ULONG UserAndGroupCount;                           // Ro: 4-Bytes
        ULONG RestrictedSidCount;                          // Ro: 4-Bytes  (new)
        ULONG PrivilegeCount;                              // Ro: 4-Bytes
        ULONG VariableLength;                              // Ro: 4-Bytes
        ULONG DynamicCharged;                              // Ro: 4-Bytes
        ULONG DynamicAvailable;                            // Wr: 4-Bytes (Mod)
        ULONG DefaultOwnerIndex;                           // Wr: 4-Bytes (Mod)
        PSID_AND_ATTRIBUTES UserAndGroups;                 // Wr: 4-Bytes (Mod)
        PSID_AND_ATTRIBUTES RestrictedSids;                // Ro: 4-Bytes  (new)
        PSID PrimaryGroup;                                 // Wr: 4-Bytes (Mod)
        PLUID_AND_ATTRIBUTES Privileges;                   // Wr: 4-Bytes (Mod)
        PULONG DynamicPart;                                // Wr: 4-Bytes (Mod)
        PACL DefaultDacl;                                  // Wr: 4-Bytes (Mod)
        TOKEN_TYPE TokenType;                              // Ro: 1-Byte
        SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;   // Ro: 1-Byte
        UCHAR TokenFlags;                                  // Ro: 4-Bytes
        BOOLEAN TokenInUse;                                // Wr: 1-Byte
        PSECURITY_TOKEN_PROXY_DATA ProxyData;              // Ro: 4-Bytes
        PSECURITY_TOKEN_AUDIT_DATA AuditData;              // Ro: 4-Bytes
        ULONG VariablePart;                                // Wr: 4-Bytes (Mod)
    } TOKEN, *PTOKEN;



Note that when a normal (non-restricted) token is created via a CreateToken API, the RestrictedSids field is empty, as is the ParentTokenId field.

To create a restricted token 124, a process calls the CreateRestrictedToken API with appropriate flag settings and/or information in the input fields, which in turn invokes the NtFilterToken API. As represented beginning at step 1000 of FIG. 10, the NtFilterToken API checks to see if a flag named DISABLE_MAX_SIDS is set, which indicates that all group security IDs in the new, restricted token 124 should be marked as USE_FOR_DENY_ONLY. The flag provides a convenient way to restrict the (possibly many) groups in a token without needing to individually identify each of the groups. If the flag is set, step 1000 branches to step 1002, which sets a bit indicating USE_FOR_DENY_ONLY on each of the group security IDs in the new token 124.

If the DISABLE_MAX_SIDS flag is not set, step 1000 branches to step 1004 to test if any security IDs are individually listed in a SidsToDisable field of the NtFilterToken API. As shown at step 1004 of FIG. 10, when the optional SidsToDisable input field is present, at step 1006, any Security IDs listed therein that are also present in the UserAndGroups field 102 of the parent token 100 are individually marked as USE_FOR_DENY_ONLY in the UserAndGroups field 128 of the new restricted token 124. As described above, such Security IDs can only be used to deny access and cannot be used to grant access, and moreover, cannot later be removed or enabled. Thus, in the example shown in FIG. 8, the Group2 security ID is marked as USE_FOR_DENY_ONLY in the restricted token 124 by having specified the Group2 security ID in the SidsToDisable input field of the NtFilterToken API 126.

The filter process then continues to step 1010 of FIG. 10, wherein a flag named DISABLE_MAX_PRIVILEGES is tested. This flag may be similarly set as a convenient shortcut to indicate that all privileges in the new, restricted token 124 should be removed. If set, step 1010 branches to step 1012, which deletes all privileges from the new token 124.

If the flag is not set, step 1010 branches to step 1014, wherein the optional PrivilegesToDelete field is examined. If present when the NtFilterToken API 126 is called, then at step 1016, any privileges listed in this input field that are also present in the privileges field 108 of the existing token 100 are individually removed from the privileges field 130 of the new token 124. In the example shown in FIG. 8, the privileges shown as Privilege2 to Privilegem have been removed from the privileges field 130 of the new token 124 by having specified those privileges in the PrivilegesToDelete input field of the NtFilterToken API 126. In keeping with one aspect of the present invention, as described above, this provides the ability to reduce the privileges available in a token based on the location of a user.

The process continues to step 1020 of FIG. 11. When creating a restricted token 124, if SIDs are present in the RestrictingSids input field at step 1020, then a determination is made as to whether the parent token is a normal token or is itself a restricted token having restricted SIDs. An API, IsTokenRestricted, is called at step 1022, and resolves this question by querying (via the NtQueryInformationToken API) the RestrictingSids field of the parent token to see if it is not NULL, whereby if not NULL, the parent token is a restricted token and the API returns TRUE. If the test is not satisfied, the parent token is a normal token and the API returns FALSE. Note that for purposes of the subsequent steps 1026 or 1028, a parent token that is restricted but does not have restricted SIDs (i.e., by having privileges removed and/or USE_FOR_DENY_ONLY SIDs) may be treated as being not restricted.

At step 1024, if the parent token has restricted SIDs, step 1024 branches to step 1026, wherein any security IDs that are in both the parent token's restricted Security ID field and the API's restricted Security ID input list are put into the restricted Security ID field 132 of the new token 124. Requiring restricted security IDs to be common to both lists prevents a restricted execution context from adding more security IDs to the restricted Security ID field 132, an event which would effectively increase rather than decrease access. Similarly, if none are common at step 1026, any token created still has to be restricted without increasing the access thereof, such as by leaving at least one restricted SID from the original token in the new token. Otherwise, an empty restricted SIDs field in the new token might indicate that the token is not restricted, an event which would effectively increase rather than decrease access.

Alternatively, if at step 1024 the parent token is determined to be a normal token, then at step 1028 the RestrictingSids field 132 of the new token 124 is set to those listed in the input field. Note that although this adds security IDs, access is actually decreased since a token having restricted SIDs is subject to a secondary access test, as described in more detail below.

Lastly, step 1030 is also executed, whereby the ParentTokenId 93 in the new token 124 is set to the TokenId of the existing (parent) token. This provides the operating system with the option of later allowing a process to use a restricted version of its token in places that would not normally be allowed except to the parent token.
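The following portable C is an added illustration, not code from the patent or from Windows: it models the filter steps 1000-1030 just described together with the location policy from the UserX example and the level table (TopSecret marked deny-only at level one, Confidential added at level two, Employee at level three; Backup/Restore dropped at level one, all privileges dropped at levels two and three). Group SIDs are marked USE_FOR_DENY_ONLY rather than removed, privileges only shrink, and restricting SIDs supplied for an already-restricted parent are intersected with the parent's own list so the child can never widen access. The SID numbers, privilege bits and the DISABLE_MAX_SIDS / DISABLE_MAX_PRIVILEGES values are assumptions; the real APIs take token handles and SID_AND_ATTRIBUTES arrays.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of NtFilterToken (FIGS. 10-11) and the location policy. Added example;
 * SIDs are small integers, privileges are bit flags, flag values are assumed. */
#define DISABLE_MAX_SIDS        0x1u
#define DISABLE_MAX_PRIVILEGES  0x2u
#define PRIV_BACKUP_RESTORE     0x1u   /* "Backup/Restore" in the level table */
#define PRIV_SET_SYSTEM_CLOCK   0x2u   /* "set the system clock" example */
#define MAX_SIDS 8

enum { SID_EVERYONE = 1, SID_AUTH_USERS = 2, SID_EMPLOYEE = 10,
       SID_CONFIDENTIAL = 11, SID_TOPSECRET = 12, SID_RAS = 100 };

typedef struct { int sid; bool deny_only; } SidEntry;   /* USE_FOR_DENY_ONLY bit */
typedef struct {
    unsigned token_id, parent_token_id;                  /* TokenId, ParentTokenId */
    SidEntry groups[MAX_SIDS];  size_t group_count;      /* UserAndGroups */
    unsigned privileges;                                 /* Privileges bitmask */
    int restricted[MAX_SIDS];   size_t restricted_count; /* RestrictedSids */
} Token;

static bool contains(const int *list, size_t n, int sid)
{
    for (size_t i = 0; i < n; i++) if (list[i] == sid) return true;
    return false;
}

bool sid_is_deny_only(const Token *t, int sid)
{
    for (size_t i = 0; i < t->group_count; i++)
        if (t->groups[i].sid == sid) return t->groups[i].deny_only;
    return false;
}

/* Steps 1000-1030. The child never gets more access than the parent. */
void filter_token(const Token *parent, unsigned flags,
                  const int *sids_to_disable, size_t n_disable,
                  unsigned privs_to_delete,
                  const int *restricting, size_t n_restrict, Token *out)
{
    static unsigned next_token_id = 1000;
    *out = *parent;

    /* Steps 1000-1006: mark group SIDs USE_FOR_DENY_ONLY; never remove them. */
    for (size_t i = 0; i < out->group_count; i++)
        if ((flags & DISABLE_MAX_SIDS) ||
            contains(sids_to_disable, n_disable, out->groups[i].sid))
            out->groups[i].deny_only = true;

    /* Steps 1010-1016: delete privileges. */
    if (flags & DISABLE_MAX_PRIVILEGES) out->privileges = 0;
    else out->privileges &= ~privs_to_delete;

    /* Steps 1020-1028: restricting SIDs. */
    if (n_restrict > 0) {
        if (parent->restricted_count == 0) {
            /* Normal parent (IsTokenRestricted == FALSE): take the input list. */
            if (n_restrict > MAX_SIDS) n_restrict = MAX_SIDS;
            memcpy(out->restricted, restricting, n_restrict * sizeof *restricting);
            out->restricted_count = n_restrict;
        } else {
            /* Restricted parent: keep only SIDs common to both lists. If none
             * are common, the parent's list stays so the field is never empty
             * (an empty field would read as "unrestricted"). */
            size_t k = 0;
            for (size_t i = 0; i < parent->restricted_count; i++)
                if (contains(restricting, n_restrict, parent->restricted[i]))
                    out->restricted[k++] = parent->restricted[i];
            if (k > 0) out->restricted_count = k;
        }
    }

    /* Step 1030: remember the parent. */
    out->parent_token_id = parent->token_id;
    out->token_id = next_token_id++;
}

/* Location policy: level 0 local, 1 intranet/trusted site, 2 RAS from an
 * authorized number, 3 everything else (and anything out of range). */
void restrict_for_location(const Token *normal, int trust_level, Token *out)
{
    static const int by_level[4][3] = {
        { 0 }, { SID_TOPSECRET }, { SID_TOPSECRET, SID_CONFIDENTIAL },
        { SID_TOPSECRET, SID_CONFIDENTIAL, SID_EMPLOYEE } };
    if (trust_level < 0 || trust_level > 3) trust_level = 3;

    unsigned flags = trust_level >= 2 ? DISABLE_MAX_PRIVILEGES : 0;
    unsigned drop  = trust_level == 1 ? PRIV_BACKUP_RESTORE : 0;
    filter_token(normal, flags, by_level[trust_level], (size_t)trust_level,
                 drop, NULL, 0, out);
}
```

The policy function is the piece a server's security provider would call with the trust level computed from the client's IP address (steps 504-512); everything else is the filter the API performs regardless of where the level came from.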

Turning to an explanation of the access evaluation with particular reference to FIGS. 12-14, as represented in FIG. 12, a restricted process 134 has been created and is attempting to open a file object 112 with read/write access. In the security descriptor of the object 112, the ACL 120 has a number of security IDs listed therein along with the type of access allowed for each ID, wherein "RO" indicates that read-only access is allowed, "WR" indicates read/write access and "SYNC" indicates that synchronization access is allowed. Note that "XJones" is specifically denied access to the object 112, even if "XJones" would otherwise be allowed access through membership in an allowed group. Moreover, the process 134 having this token 124 associated therewith will not be allowed to access any object via the "Basketball" security ID in the token 124, because this entry is marked "DENY" (i.e., USE_FOR_DENY_ONLY).

As represented in FIG. 12, restricted security contexts are primarily implemented in the Windows NT kernel. To attempt to access the object 112, the process 134 provides the object manager 114 with information identifying the object to which access is desired along with the type of access desired (FIG. 14, step 1400). In response, as represented at step 1402, the object manager 114 works in conjunction with the security mechanism 118 to compare the user and group security IDs listed in the token 124 (associated with the process 134) against the entries in the ACL 120, to determine if the desired access should be granted or denied.

As generally represented at step 1404, if access is not allowed for the listed user or groups, the security check denies access at step 1414. However, if the result of the user and group portion of the access check indicates allowable access at step 1404, the security process branches to step 1406 to determine if the restricted token 124 has any restricted security IDs. If not, there are no additional restrictions, whereby the access check is complete and access is granted at step 1412 (a handle to the object is returned) based solely on user and group access. In this manner, a normal token is essentially checked as before. However, if the token includes restricted security IDs as determined by step 1406, then a secondary access check is performed at step 1408 by comparing the restricted security IDs against the entries in the ACL 120. If this second access test allows access at step 1410, access to the object is granted at step 1412. If not, access is denied at step 1414.

As logically represented in FIG. 13, a two-part test is thus performed whenever restricted Security IDs are present in the token 124. Considering the security IDs in the token 124 and the desired access bits 136 against the security descriptor of the object 112, both the normal access test and (bitwise AND) the restricted security IDs access test must grant access in order for the user's process to be granted access to the object. As described above, the normal access test proceeds first, and if access is denied, no further testing is necessary. Note that access may be denied either because no security ID in the token matched an identifier in the ACL, or because an ACL entry specifically denied access to the token based on a security identifier therein. Alternatively, a token may be arranged to have multiple sets of restricted SIDs, with a more complex Boolean expression covering the evaluation of those SIDs, e.g., grant access if set A OR (set B AND set C) allow access.

Thus, in the example shown in FIG. 12, no access to the object 112 will be granted to the process 134 because the only Restricted SID in the token 124 (field 132) identifies "RAS" while there is no counterpart restricted SID in the object's ACL 120. Although the user had the right to access the object via a process running with a normal token, the process 134 was restricted so as to only be able to access objects having a "RAS" SID (non-DENY) in their ACLs.

Note that instead of specifying a type of access, the caller may have specified MAXIMUM_ALLOWED access, whereby, as described above, an algorithm walks through the ACL 120 determining the maximum access. With restricted tokens, if any type of user or group access at all is granted, the type or types of access rights allowable following the user and groups run is specified as the desired access for the second run, which checks the RestrictedSids list. In this way, a restricted token is certain to be granted access less than or equal to that of the normal token.
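The DACL walk described earlier (deny entries first, MAXIMUM_ALLOWED accumulation) and the two-part restricted-SID test above, modelled in portable C as an added example; this is not the Windows NT kernel code. The constructed ACL mirrors FIG. 12: XJones denied, Everyone read-only, Accounting read/write, Basketball full access but marked deny-only in the token, and a single RAS restricted SID. SID numbers and access bit values are assumptions. Deny entries match a deny-only SID as well, allow entries count only for SIDs that are not deny-only, and when MAXIMUM_ALLOWED is requested the bits named by a matching deny entry are excluded from what later allow entries can contribute.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model of the DACL walk and the two-part restricted-token check (FIGS. 13-14).
 * Added example, not kernel code; SID numbering and access bits are assumed. */
#define ACCESS_READ      0x1u
#define ACCESS_WRITE     0x2u
#define ACCESS_SYNC      0x4u
#define ACCESS_ALL       0x7u
#define MAXIMUM_ALLOWED  0x80000000u

enum { SID_EVERYONE = 1, SID_ACCOUNTING = 20, SID_BASKETBALL = 21,
       SID_XJONES = 30, SID_RAS = 100 };

typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; int sid; unsigned mask; } Ace;
typedef struct { const Ace *aces; size_t count; } Acl;   /* DENY entries first */

typedef struct { int sid; bool deny_only; } SidEntry;     /* USE_FOR_DENY_ONLY */
typedef struct {
    const SidEntry *groups;     size_t group_count;       /* UserAndGroups */
    const SidEntry *restricted; size_t restricted_count;  /* RestrictedSids */
} Token;

static const SidEntry *find_sid(const SidEntry *list, size_t n, int sid)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].sid == sid) return &list[i];
    return NULL;
}

/* One walk over the ACL with one SID list. Deny entries match deny-only SIDs
 * too; allow entries only count for SIDs that are not deny-only. */
static bool evaluate(const Acl *acl, const SidEntry *sids, size_t n,
                     unsigned desired, unsigned *granted)
{
    bool want_max = (desired == MAXIMUM_ALLOWED);
    unsigned acc = 0, denied = 0;

    for (size_t i = 0; i < acl->count; i++) {
        const Ace *a = &acl->aces[i];
        const SidEntry *e = find_sid(sids, n, a->sid);
        if (e == NULL) continue;
        if (a->type == ACE_DENY) {
            if (!want_max && (a->mask & desired)) return false;
            denied |= a->mask;          /* MAXIMUM_ALLOWED: these bits are out */
        } else if (!e->deny_only) {
            acc |= a->mask & ~denied;   /* OR in what this allow entry grants */
        }
    }
    if (want_max) {
        if (acc == 0) return false;
        *granted = acc;
        return true;
    }
    if ((acc & desired) != desired) return false;
    *granted = desired;
    return true;
}

/* Two-part test: user/group walk first; if the token carries restricted SIDs,
 * a second walk with those SIDs must grant what the first walk granted. */
bool access_check(const Token *t, const Acl *acl, unsigned desired, unsigned *granted)
{
    unsigned g1 = 0, g2 = 0;
    if (!evaluate(acl, t->groups, t->group_count, desired, &g1)) return false;
    if (t->restricted_count == 0) { *granted = g1; return true; }  /* normal token */
    if (!evaluate(acl, t->restricted, t->restricted_count, g1, &g2)) return false;
    *granted = g2;
    return true;
}
```

With the FIG. 12 inputs the first walk grants read/write through Accounting, the second walk finds no RAS entry and the request fails; adding an allow entry for RAS to the ACL makes the same token succeed, and a token carrying the XJones SID fails on the deny entry before any allow entry is considered, whether a specific mask or MAXIMUM_ALLOWED was requested.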

Lastly, it should be noted that access tokens may be further restricted according to criteria other than just location-based criteria. Indeed, restricted tokens allow the setting up of restricted security contexts based on other criteria including the identity of the process (e.g., Microsoft Excel) that is attempting to access a resource. Moreover, the various criteria may be combined to determine access rights. Thus, for example, RAS access to a network file may be allowed if a user is opening the file via Microsoft Excel, but not via Microsoft Word. As can be appreciated, a virtually limitless number of location-based combinations with other criteria for security discrimination are feasible.

Authentication

In accordance with one aspect of the present invention, when a client connects to a server, the server authenticates the client, and builds a token for that user based on the client's identity and location information. For example, as shown in FIGS. 15 and 16, in one well-known type of authentication (i.e., NTLM), the client user 200 provides credentials 202 including a user ID to a server 204, which then communicates with a domain server 206 to create a challenge for that user based on the user's stored credentials. As represented in FIG. 15, the server 204 returns the challenge to the client 202, and if the client correctly responds, the user is authenticated.

In keeping with the present invention, however, rather than simply building a normal token for the user, the user information is combined with the location information 208 by a security subsystem / provider 210 to create a restricted token 212 as described in detail above. The restricted token 212 is associated with each process 214 run at the server 204 on behalf of any client process 216.

As shown in FIGS. 17 and 18, other authentication protocols including the Kerberos protocol may also be used in conjunction with the present invention. According to the Kerberos protocol, authentication of the connection to the server 220 is accomplished via a ticket 222. The ticket 222 is initially received by the client 224 from a ticket-issuing facility on the network known as a Key Distribution Center (KDC) 226. The ticket 222 is re-usable for a period of time, whereby even if the session is terminated, the client 130 does not have to repeat the authentication process while the ticket 222 is still valid.

In keeping with the invention, the information in the ticket 222 (which may include restrictions placed therein by the client 224) is combined by the server's security subsystem / provider 228 with user location information 230 to create a restricted token 232, as described in detail above. The restricted token 232 is associated with each process 234 run at the server 220 on behalf of any client process 236.
Similarly, FIGS. 19 and 20 show another authentication protocol, SSL. In SSL, the client user 240 first obtains a certificate ID 242 from a certificate authority 246 using public key-based authentication. Assuming the server 248 trusts the certificate authority 246, the user 240 may use the certificate ID 242 to gain access to the server 248. As represented in FIG. 19, back-and-forth communications take place between the server 248 and client 240 via which the server is able to prove the certificate ID 242 belongs to the proper user.

The certificate ID 242 includes user information identifying that user as one having an account with the network to which the server 248 is connected. The information is used to access a database 250 having user information (e.g., security ID, group IDs, privileges and so on) maintained for the user therein. Then, in accordance with the present invention, the user information from the database 250 is combined with location information 252 by the server's security subsystem / provider 254 to create a restricted token 256 as described in detail above. The restricted token 256 is associated with each process 258 run at the server 248 on behalf of any client process 260.

As can be appreciated, the user information obtained via these and other authentication protocols may be combined with location information to restrict a user's access to resources. Moreover, the type of authentication itself may be made dependent on the location of the user. For example, to increase security, a remote connection may require Kerberos or SSL authentication, while a challenge-response authentication may be sufficient to authenticate a user connecting via a local connection. Since the server has access to the location information, the server may decide the type of authentication required for a particular location. Similarly, the type of authentication may be used to discriminate access rights. For example, the access rights of SSL users may be restricted in one way, Kerberos users in another way, and NTLM users in still another way. In the manner described above, restricted tokens provide a convenient mechanism to implement restricted security contexts based on a user's virtual location and/or type of authentication, although other enforcement mechanisms are feasible.
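The two-run access check described above for restricted tokens, together with the combination of location and requesting-process identity into a restricted token, as an added Python model that is not part of the patent; the SID strings, the file ACL, the privilege name and the function names are constructed for this illustration.

```python
# Added model (not from the patent); the SIDs, ACL and names are constructed.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    allow: bool = True                  # False models an access-denied ACE

@dataclass
class Token:
    user: str
    groups: frozenset = frozenset()
    deny_only: frozenset = frozenset()  # SIDs that may deny but never grant
    restricted_sids: frozenset = frozenset()
    privileges: frozenset = frozenset()

def _run(acl, sids, deny_only, desired):
    """One pass over the ACL for the given SIDs: deny ACEs withhold bits,
    allow ACEs grant the remaining desired bits (deny-only SIDs never grant)."""
    denied = granted = 0
    for ace in acl:
        if ace.sid not in sids:
            continue
        if not ace.allow:
            denied |= ace.mask & desired
        elif ace.sid not in deny_only:
            granted |= ace.mask & desired & ~denied
    return granted

def access_check(token, acl, desired):
    """Maximum access granted. Rights from the user/group run become the desired
    access for a second run over RestrictedSids, so a restricted token can
    never receive more than the normal token would."""
    first = _run(acl, {token.user} | token.groups, token.deny_only, desired)
    if not first or not token.restricted_sids:
        return first
    return _run(acl, token.restricted_sids, frozenset(), first)

def build_restricted_token(normal, location, process):
    """Restricted SIDs from location and process identity; drops a privilege."""
    if location == "local":
        return normal
    return Token(normal.user, normal.groups, normal.deny_only,
                 frozenset({"S-LOC-REMOTE", "S-APP-" + process}),
                 normal.privileges - {"SeBackupPrivilege"})

# Constructed file ACL: contractors denied, staff read, owner read/write, remote read-only unless via Excel.
FILE_ACL = [Ace("S-GRP-CONTRACTORS", READ | WRITE, allow=False),
            Ace("S-USER-ALICE", READ | WRITE), Ace("S-GRP-STAFF", READ),
            Ace("S-LOC-REMOTE", READ), Ace("S-APP-EXCEL", WRITE)]
ALICE = Token("S-USER-ALICE", frozenset({"S-GRP-STAFF"}),
              privileges=frozenset({"SeBackupPrivilege"}))
```

With this ACL the same user is granted read and write locally, read and write remotely through Excel, but read only remotely through Word, which is the combination the text describes.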

While the invention is susceptible to various modifications and alternative constructions, certain illustrated embodiments thereof are shown in the drawings and have been described above in detail. It should be understood, however, that there is no intention to limit the invention to the specific forms disclosed, but on the contrary, the intention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the invention.






WO 99/65207 PCT/US99/n913

WHAT IS CLAIMED IS:

1. In a computer network wherein a user may selectively connect to the network from one of a plurality of virtual locations, a method of providing improved network security, comprising the steps of, determining a location from where the user is connecting, selecting an access level for the user from at least two distinct access levels based on criteria including the virtual location, connecting the user to the network, and determining access of the user to network resources based on information including the access level.

2. The method of claim 1 further comprising the step of assigning an Internet protocol address to the user, the assigned address dependent on the location from where the user is connecting.

3. The method of claim 1 wherein the step of determining a location from where the user is connecting comprises the step of evaluating an Internet protocol address assigned to the user.

4. The method of claim 3 wherein the step of selecting an access level from at least two distinct access levels includes the step of selecting the access level according to the Internet protocol address.

5. The method of claim 1 wherein the step of determining a location from where the user is connecting comprises the step of determining that the user is connecting to the network via a remote access server.
6. The method of claim 5 further comprising the step of determining whether the user is connecting via a dial-up connection.

7. The method of claim 6 wherein the user is determined to be connecting via a dial-up connection, and further comprising the step of determining the telephone number from which the user is connecting, comparing the telephone number to a list of registered users, and wherein the step of selecting an access level includes the step of selecting one level if the telephone number is in the list and another level if the number is not in the list.

8. The method of claim 1 wherein the step of determining a location from where the user is connecting comprises the step of determining whether the user is connecting to the network via a remote access server, and if the user is connecting via a remote access server, the step of selecting an access level includes the step of selecting an access level corresponding to more restricted access rights.

9. The method of claim 1 wherein the step of determining a location from where the user is connecting comprises the step of determining that the user is connecting to the network via an intranet.

10. The method of claim 1 wherein the step of determining a location from where the user is connecting comprises the step of determining that the user is connecting to the network via a virtual private network.
11. The method of claim 1 wherein the step of determining access to network resources based on information includes the step of determining access based on credentials of the user.

12. The method of claim 11 wherein the step of determining access to network resources includes the step of creating an access token for the user.

13. The method of claim 12 wherein the access token is associated with each process of the user, and wherein the step of determining access to network resources includes the step of comparing information in the access token against security information associated with each network resource.

14. The method of claim 12 wherein the step of creating an access token includes the steps of creating a restricted token from the user's normal token, and removing at least one privilege from the restricted token, relative to the parent token.

15. The method of claim 12 wherein the step of creating an access token includes the steps of creating a restricted token from the user's normal token, and changing attribute information of a security identifier in the restricted token to use for deny only access via that security identifier, relative to attribute information of a corresponding security identifier in the normal token.

16. The method of claim 12 wherein the step of connecting the user to the network includes the step of authenticating the user via a challenge-response protocol.

17. The method of claim 12 wherein the step of connecting the user to the network includes the step of receiving a ticket from the user, the ticket issued by a ticket-issuing facility.

18. The method of claim 12 wherein the step of connecting the user to the network includes the step of receiving a certificate from the user, the certificate issued by a certificate authority.

19. The method of claim 12 wherein the step of creating an access token includes the steps of creating a restricted token from the user's normal token, and adding at least one restricted security identifier to the restricted token.

20. The method of claim 12 wherein the step of determining access to network resources includes the step of comparing user information in the access token and the at least one restricted security identifier against security information associated with each network resource.



21. In a computer network wherein a user may selectively connect to the network from one of a plurality of virtual locations, a system for providing improved network security, comprising, a discrimination mechanism for determining a virtual location from where the user is connecting and for selecting an access level from at least two distinct access levels based thereon, a security provider for setting up access rights of the user based on information including the access level, and an enforcement mechanism for determining user access to network resources according to the access rights set up therefor.

22. The system of claim 21 wherein the discrimination mechanism assigns an Internet protocol address to the user based on the virtual location determined thereby.

23. The system of claim 21 wherein the discrimination mechanism evaluates an Internet protocol address assigned to the user.

24. The system of claim 23 wherein the discrimination mechanism selects the access level according to the Internet protocol address.

25. The system of claim 21 wherein the discrimination mechanism determines that the user is connecting to the network via a remote access server.

26. The system of claim 25 wherein the discrimination mechanism further determines that the user is connecting via a dial-up connection.

27. The system of claim 26 further comprising a list of registered telephone numbers and a caller-ID mechanism connected to the discrimination mechanism, and wherein the discrimination mechanism accesses the caller-ID mechanism to determine a telephone number of the user, and accesses the list to determine if the telephone number is in the list, and if the telephone number is in the list, determines one access level, and if the number is not in the list, determines another access level.

28. The system of claim 21 wherein the discrimination mechanism determines whether the user is connecting to the network via a remote access server, and if the user is connecting via a remote access server, further selects an access level for the user corresponding to more restricted access rights relative to the user access rights selected for a direct connection to the network.

29. The system of claim 21 wherein the discrimination mechanism includes means for determining when the user is connecting to the network via an intranet.

30. The system of claim 21 wherein the discrimination mechanism includes means for determining when the user is connecting to the network via a virtual private network.

31. The system of claim 21 wherein the security provider sets up the access rights of the user based on information including the credentials of the user.

32. The system of claim 21 wherein the security provider creates an access token for the user.

33. The system of claim 32 wherein the access token is associated with each process of the user, and wherein the enforcement mechanism determines access to the network resources by comparing information in the access token against security information associated with each network resource.

34. In a computer server having files thereon, a method of selectively restricting access to the files, comprising the steps of receiving a request from an entity to access a file, selecting an access level for the entity from at least two distinct access levels based on criteria including the type of entity, and determining access of the entity to the file based on information including the access level.

35. The method of claim 34 wherein the entity is a process of a remote computer system, and wherein the step of selecting an access level for the entity from at least two distinct access levels includes the step of assigning a first access level for processes of the local server and a second access level for processes of remote computers.

36. The method of claim 34 wherein the entity is a script running on the computer server, and wherein the step of selecting an access level for the entity from at least two distinct access levels includes the step of assigning a distinct access level for scripts.

37. The method of claim 34 wherein the entity is an FTP server running on the computer server, and wherein the step of selecting an access level for the entity from at least two distinct access levels includes the step of assigning a distinct access level for FTP servers.

38. The method of claim 34 wherein the entity is a process of a proxy, and wherein the step of selecting an access level for the entity from at least two distinct access levels includes the step of assigning a first access level for processes of the local server and a second access level for processes of proxies.